On July 1, Illinois will enact the Student Online Personal Protection Act (SOPPA). This is an important step toward ensuring the security of student data collected by third-party operators such as educational technology companies. With SOPPA (105 ILCS 85/1 et seq.), Illinois joins a growing number of states enacting legislation specifically designed to address the timely issue of student privacy.
The threat that cybercrime poses to students cannot be ignored. This is especially true because of a significant uptick in security breaches involving K-12 schools in recent years. As schools migrated to remote and hybrid technology-based education during the 2020 pandemic, the number of school-related cyber incidents increased dramatically. As IT vendors become increasingly central to K-12 education, hacks targeting these providers pose a growing threat to student data.
“For students the new law offers another layer of protection,” explains Hāpara CFO David Dinerman, who is part of the team at Hāpara in charge of legal and regulatory issues. “You want to ensure privacy and that information is not being used in an improper way.”
Who does SOPPA impact?
The new law impacts agreements between Illinois school districts and third-party contractors who receive student data—also known as “covered information” under SOPPA. These contractors are the “operators” referred to in the law: those that provide online educational or administrative services to schools.
Along with edtech providers like Hāpara, this category encompasses online personalized learning platforms, college and career readiness software providers, providers of online computer games and apps designed for student learning and web-based language-learning platforms.
Why is SOPPA timely?
Schools have become fertile ground for cyber crooks. That’s because schools have been slow to react to an increasingly dangerous security landscape, and they often don’t have updated systems.
Cybersecurity incidents include denial-of-service attacks, ransomware attacks, data breaches and phishing attacks. The number of publicly disclosed events affecting K-12 school systems rose by 18% in 2020. The K-12 Cybersecurity Resource Center and the K-12 Security Information Exchange recorded 408 incidents that affected 377 organizations across 40 states—the highest number of attacks in one year since the K-12 Cybersecurity Resource Center started tracking such events in 2016. These incidents have led to school closures and millions of taxpayer dollars lost. Student data breaches involving identity theft and credit fraud have also occurred.
In December 2020, the FBI issued a cybersecurity advisory about technology vulnerabilities and student data. In March 2021, it alerted system administrators to a recent increase in PYSA ransomware that specifically targeted higher education and K-12 schools in 12 states and the United Kingdom.
More than three-fourths of the data breaches that took place at schools last year involved compromises of vendors. This suggests that K-12 cybersecurity would be improved with greater oversight of the edtech industry.
Verizon found that educational institutions experienced the sixth-highest number of cybersecurity incidents among 20 sectors. Its 2020 Data Breach Investigations Report tallied 819 incidents in the education sector.
Educational and healthcare records are some of the most sought-after data for cybercriminals. These sectors in particular provide extremely high levels of financial gain for hackers. For example, some student records can fetch up to $265 on the dark web.
“Cybercriminality and heightened focus on security is a trend that’s going to continue to be front and center for K-12 schools,” explains Dinerman.
What does SOPPA compliance look like for schools and districts?
The new law requires public schools to “implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.”
To support districts as they await additional guidance from the Illinois State Board of Education, which is expected to arrive throughout the coming academic year, the Learning Technology Center of Illinois has published a set of foundational security best practices backed by Illinois school district technology leaders and aligned with the globally recognized Center for Internet Security (CIS) Controls. Designed to form the pillars of a strong district-wide security program, these 43 reasonable security practices encompass 18 critical security components such as wireless access control, data recovery, malware defenses, vulnerability management, account monitoring and control, and data protection.
Given that the majority of security breaches stem from human error, the 43 practices include a robust set of staff training and procedural practices. Consider whether your school or district can answer “yes” to these questions:
- Are all employees able to identify the most common indicators of a security incident?
- Do they know how to report a potential security incident?
- Are teachers and staff aware of common causes of unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email?
- Do all workforce members understand the importance of enabling and utilizing secure authentication?
- Can staff identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls?
- Do workforce members know how to identify and properly store, transfer, archive and destroy sensitive information?
- Are staff members regularly trained to ensure they understand and exhibit the necessary behaviors and skills to help maintain the security of the organization?
Other important components of the new law include communication to stakeholders, namely parents and families, about information sharing and disclosure, as well as the protocol to follow in the event of a data breach. That means schools need to post on their websites details of the online service providers with whom they share student data.
Additionally, districts must make available a clear and understandable explanation of any information they collect, maintain or disclose, along with the name of any person, entity, third party or governmental agency that the district shares student information with and how that entity uses the information.
How is SOPPA different from previous efforts to protect student data?
Familiarity with student privacy regulations is nothing new for Hāpara. Dinerman references the Family Educational Rights and Privacy Act (FERPA), a 1974 federal law that protects the privacy of student education records. The company has always complied with FERPA.
What’s different about SOPPA is that edtech companies are mandated to sign off on agreements with schools and districts in which they must validate what they’re doing and provide schools with information about the data they’re collecting. The mandates also boil down to mutual compliance with the requirements, meaning that schools themselves must adhere to the same standards they’re requiring vendors to meet.
“This law forces districts to take more responsibility and put more resources into the issue of cybersecurity,” notes Dinerman. He points to recent ransomware attacks where victims have paid big money to be released from the grip of cyberattackers. “It’s a big deal and it’s endemic.”
How Hāpara demonstrates its commitment to schools and students
Hāpara is deeply committed to the safety of students and the school community at large. Therefore, it takes the security and privacy of the personal information that it collects very seriously.
“From a DNA standpoint, we are very mindful about individual rights and student rights in particular. We don’t do any sort of advertising or marketing to kids or students or even parents,” says Dinerman, who verifies that Hāpara is in full compliance with the current version of data security standards. “We’ve never been in a situation where a school requested compliance that Hāpara has been unable or unwilling to meet.”
- We only ask for students’ first and last names, meaning that we don’t collect, use or disclose sensitive learner information, such as social security numbers or home addresses.
- We do not share, sell or rent student data to third parties.
- We anonymize any student-identifiable data where appropriate. All student data is encrypted during transmission and in storage.
- We maintain a comprehensive security program made up of administrative, technological and physical safeguards that are designed to protect information.
- We regularly hire security professionals to test our systems as hackers would.
- We don’t retain or utilize user information after a school cancels its subscription. Users own their own data, not Hāpara.
- We hold all our vendors to the same high privacy and security standards we operate under.
Understanding that learners are free to explore beyond the protected space of Hāpara, the company works to give them tools to protect themselves. In conversations with educators in over 40 countries around the world, Hāpara guides them in teaching students to safeguard their data and privacy. Hāpara also provides teachers with learning content to help students develop the know-how to protect their own digital privacy.